Flick

Privacy Policy

Last updated: 15 May 2026 · Version 1.7.6

The short version: Flick does not collect, transmit, or store any of your personal data on any external server. Everything stays on your device.

1. What we collect

Flick collects no personal data. The extension does not ask for your name, email address, phone number, or any personally identifying information.

2. What stays on your device

The following data is stored locally in your browser using chrome.storage.local and never leaves your device:

Your Vinted session token and CSRF token — read from your existing browser session to make API calls on your behalf. These are never transmitted anywhere other than Vinted's own servers.
Your Vinted user ID — used to fetch your wardrobe listings.
Sent-offer history — which items and buyers you've sent offers to, including offer price, discount, currency, original price, item title, thumbnail, buyer username, and the offer message. Prevents duplicate offers. Automatically pruned after 90 days.
Repost run logs — timestamps, items reposted, and any failures for each repost run. Capped at 200 entries.
Scheduled repost definitions — your configured schedules including days of week, time, item limit, rotation cursor, safe mode, peak hours, and offer cooldown settings.
Up to 5 message templates — reusable offer messages with {item}, {price}, and {discount} variables.
Your preferences — which tab you last used, selected discount percentage, minimum item price filter, followed-up reminder days, and whether you've seen the onboarding screen.
Your Pro licence key — stored locally for quick validation (cached with a 1-hour expiry). The key itself is generated by the Cloudflare Worker backend and never sent anywhere else.
Daily usage counters — number of reposts and offers sent today, used to enforce free tier limits (5 reposts/day, 10 offers/day). Resets each day.

All of this data can be cleared at any time by removing the extension from Chrome or by clicking "Clear all data" in the extension settings.

3. What we do NOT do

We do not collect analytics or usage statistics.
We do not use cookies set by us.
We do not send any data to any server controlled by us.
We do not sell, share, or rent any data.
We do not store your Vinted password. Authentication works through your existing Vinted browser session — the same session cookies your browser already uses when you visit Vinted.

4. How the extension works

Flick reads your Vinted session tokens from cookies and uses them to make API calls to Vinted's own servers (www.vinted.co.uk and equivalent regional domains) on your behalf. This is the same mechanism your browser uses when you browse Vinted normally. The extension acts as an interface — all data flows between your browser and Vinted, with nothing in between.

For scheduled reposts, Flick uses Chrome's built-in alarm API to trigger repost runs at your configured times — even when the extension popup is closed. When an alarm fires, the extension briefly wakes up, performs the repost run using your cached session, and sends you a Chrome notification with the result.

5. Permissions we use and why

tabs — to open a hidden Vinted tab temporarily so API calls can bypass Cloudflare protection, and to detect which Vinted regional domain you use.
scripting — to run scripts inside a Vinted tab so API requests inherit your session cookies. Required for authentication.
cookies — to read your Vinted domain from session cookies so we connect to the right regional site (vinted.co.uk, vinted.fr, etc.).
storage — to save your preferences, run logs, offer history, templates, and licence cache locally in your browser.
alarms — to fire scheduled repost runs at your chosen times, even when the extension popup is closed.
notifications — to show Chrome notifications when a scheduled repost completes, fails, or is skipped.
Host permissions (22 Vinted domains + licence worker) — to make API calls to Vinted's endpoints on your behalf across all supported regional domains (vinted.co.uk, vinted.fr, vinted.de, etc.), and to validate your Pro licence key with our Cloudflare Worker at flick-licence.flick-licence.workers.dev.

6. Third-party services

The extension communicates only with:

Vinted's own servers (*.vinted.co.uk, *.vinted.fr, and equivalent regional domains) — for all API calls: wardrobe listing, item detail, photo upload, item creation/deletion, notification fetch, conversation creation, and offer sending.
flick-licence.flick-licence.workers.dev — a Cloudflare Worker (serverless function) that validates Pro licence keys. No personal data is included in these requests — only the licence key string itself. The Worker does not log or store any data beyond the key and its subscription status in Cloudflare KV.
Google Fonts (fonts.googleapis.com / fonts.gstatic.com) — the Inter font is loaded when the extension popup is opened. This is a standard web font request and does not include any personal data. If you prefer to avoid this, you can use the extension offline and the UI will fall back to system fonts.

No third-party analytics, advertising, or tracking services are used anywhere in the extension.

7. Children's privacy

Flick is not directed at children under 13. We do not knowingly collect data from children.

8. Changes to this policy

If we make material changes to this policy, we will update the "Last updated" date above and bump the extension version. Continued use of the extension after changes constitutes acceptance of the updated policy.

9. Contact

Questions about this privacy policy? Email us at useflick.app@gmail.com.

Flick is an independent tool and is not affiliated with, endorsed by, or connected to Vinted UAB.